Yes, I know this is a Bricklin list, however, the following is from one of the
many virus notifications lists I am a part of and I thought was very
informative. Just thought you'd like to have this for your own use or to
forward to suspect individuals ...
This is an update note to give consumers more information about KLEZ. In many
ways, KLEZ is a brand new type of virus, in that it combines a lot of
different modes to try to get you to open the document to be infected, and it
has a variety of new ways to "hide" itself so that it's harder to track down
who actually HAS the virus. I'll go over some of these, because we've
received a large number of calls and emails from people regarding this virus:
Virus content messages:
This virus, unlike many past viruses, has MULTIPLE MESSAGE TYPES. The virus
attempts to disguise itself as a game, a cure for itself, an update from
Microsoft, a "bounce" message from the postmaster, and other more traditional
messages. YOU CANNOT RELIABLY identify this virus by it's message.
This virus, unlike many past viruses, has MULTIPLE EXTENSION TYPES. The virus
disguises itself as .bat, .exe, .pif or .scr files. As a result YOU CANNOT
RELIABLY identify this virus by it's extension type (though you should never
open an emailed file with any of those extensions).
This virus, like many past viruses, has MULTIPLE SUBJECT HEADERS. The viruse
uses different subject headers from a randomized list, so YOU CANNOT RELIABLY
identify this virus by it's subject header.
This virus, unlike many other viruses, will AUTO EXECUTE if you haven't
applied the proper security patches to Outlook or Outlook express. Thus you
DO NOT HAVE TO OPEN THE ATTACHMENT to get infected if the virus gets through
your anti-virus shields, your security level is set to low and you do not
have the proper updates. It's essential that you patch your internet explorer
and OS up to date if using either Outlook or Outlook express on your box.
The only way to RELIABLY identify and squash this virus is by having an active
Antivirus, with up to date definitions, that scans all incoming and outgoing
mail. That is the ONLY way, and the best way.
Email return-address spoofing:
This virus contains it's own SMTP client. Thus you will NOT see sent mail
messages accumulating in your "sent mail" box if you're infected. At best
you'll notice things slow down on the internet.
This virus grabs it's email addresses from Outlook's contact list, Outlook
Express's Personal Address book, AOL's address book, web pages in your web
cache (in other words is scans the pages for mailto tags). So an email
address that Klez sends to (or from-see below) doesn't have to be in your
address book.
This virus, using it's SMTP client, will spoof the "From mail" address. What
this means is that the From address isn't a reliable way of tracking who the
email comes from. Klez, in a Klez infected computer, will search the contact
list, PAB and internet explorer cache for TWO email addresses - one to send
the message TO and one to send the message FROM. Thus, even if you don't HAVE
Klez - someone you know may get an email that appears to be FROM you (but
really isn't) with the virus attached. This has the net effect of confusing
the process of tracking down who has the virus. If you get a message from
someone saying - "Your computer is infected - it sent me a virus" - that may
not be the case. If you get a clean scan and you're not observing any
problems with your virus update procedure you are probably the victim of a
"From address spoof". You can point the accuser at this web page which
explains what this is in more detail
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.gen@mm.html
You can sometimes track down the actual culprit by looking at the full headers
of the original message. AOL for instance puts a header in x-apparently-from:
that indicates the actual email address of the sender. Other SMTP servers may
or may not provide such information. If you're getting a lot of KLEZ you
might want to try to track down which of your friends has it and notify them.
The headers are visible from the View/Options menu item in Outlook. Usually
the first SMTP server indicated is the one the virus originated from. Look
carefully at information on the sender there.
Faking administrative messages
Another way this virus spreads is by pretending to be a bounce message.
Normally if you send out an email to someone, and their server is down, you'll
get a message saying that the message bounced. The actual message you sent is
attached to the bounce message as an attachment - and the natural tendency is
to open it to see what it was you can't remember sending. Unfortunately
what's attached to these fake "bounce" messages is the virus, and when you
open it you get infected.
Spurious bounce messages don't mean you have the virus (someone else is
sending them to you).
Spurious bounce messages don't mean your machine is sending out the virus (the
bounce is sent to you from an infected machine, it's not an ACTUAL bounce).
Be careful when looking at a bounce message, particularly if you don't
remember sending the message. Double check the file extension.
Faking a "Cure"
This message sends itself out, with a very official looking body, to tell you
that it thinks your machine is infected, and here's a program to clean it.
Unfortunately the program to "clean it" is the virus itself, and you're
probably NOT already infected.
Only run cure or virus cleaning programs that you've downloaded directly from
Symantec, McAfee, Trend Micro or some reliable source - don't ever run ANY
program that someone just sends you in email.
Pretending to be a "game"
This virus also pretends to be a game that another person is sending you. A
game is an executable. Executables carry bad things. Don't open them :)
All in all, this virus has become quite pervasive because it uses a variety of
methods to try to infect your machine (what the virus pundits call a "blended
threat"). The VERY BEST thing you can do to protect yourself is to have
adequate virus scanning and adequate email virus protection on EVERY SINGLE
MACHINE that you use. The next thing you can do is to EDUCATE YOURSELF. If
you're a system admin, or even a single users, look at the list above and
learn to recognize the pattern when the virus comes in - don't just jump to
the conclusion that the person in the from address sent it, nor that you're
infected when you're not. The final thing you can do is to spend a little
time at the Windows Update site and be SURE your system is up to date and
patched up.
This concludes this viruswarning notice.
Lee Drake
Aztek Computer Solutions, Inc.
39 N. Goodman St.
Rochester, NY 14607
P: 716-242-2060 As of Nov 1st, 2002 585-242-2060
F: 716-242-9441 As of Nov 1st, 2002 585-242-9441
E: ldrake@azcomputer.net
W: www.azcomputer.net
/// unsubscribe/change address requests to majordomo@autox.team.net or try
/// http://www.team.net/mailman/listinfo
/// Archives at http://www.team.net/archive/bricklin
|